AWS bedrock-agentcore documentation change
Summary
Updated documentation for VPC egress features: removed beta service notices, changed configuration key from 'managedLatticeResource' to 'managedVpcResource', updated routing domain description, added notes about private endpoint configuration for OpenAPI and Smithy targets, and enhanced private identity provider section to reflect native support.
Security assessment
The changes document enhanced security features for connecting to private resources within VPCs, including native support for private OAuth identity providers. This improves security by enabling connections to self-hosted IdPs without internet exposure. However, there is no evidence of addressing a specific security vulnerability or incident; these are feature enhancements and documentation improvements.
Diff
diff --git a/bedrock-agentcore/latest/devguide/gateway-vpc-egress.md b/bedrock-agentcore/latest/devguide/gateway-vpc-egress.md index 9f1f81980..e6d6995b7 100644 --- a//bedrock-agentcore/latest/devguide/gateway-vpc-egress.md +++ b//bedrock-agentcore/latest/devguide/gateway-vpc-egress.md @@ -7 +7 @@ -MCPOpen API targetSmithy targetAPI GatewayLambdaWorkaround for private identity providersLimitations and considerations +MCPOpen API targetSmithy targetAPI GatewayLambdaPrivate identity providersLimitations and considerations @@ -23,4 +22,0 @@ AgentCore Gateway supports connecting to self-hosted MCP servers running inside -###### Important - -VPC egress with private endpoints is made available as a "Beta Service" as defined in the AWS Service Terms. - @@ -33 +29 @@ The following example creates a private MCP server target using managed Lattice: - "managedLatticeResource": { + "managedVpcResource": { @@ -49 +45 @@ The following example creates a private MCP server target using managed Lattice: -If your MCP server uses a domain that is not publicly resolvable (for example, a private hosted zone in Route 53), you must also specify a `routingDomain` . For more information, see [Workaround for private DNS support: routing domain](./vpc-egress-private-endpoints.html#lattice-vpc-egress-routing-domain). +If you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer, you can specify a `routingDomain` . For more information, see [Route traffic through an intermediate domain](./vpc-egress-private-endpoints.html#lattice-vpc-egress-routing-domain). @@ -133,4 +128,0 @@ You can configure Open API targets to reach private endpoints inside your VPC us -###### Important - -VPC egress with private endpoints is made available as a "Beta Service" as defined in the AWS Service Terms. - @@ -143 +135 @@ The following example creates a private OpenAPI target using managed Lattice: - "managedLatticeResource": { + "managedVpcResource": { @@ -159 +151 @@ The following example creates a private OpenAPI target using managed Lattice: -If your endpoint uses a domain that is not publicly resolvable, you must also specify a `routingDomain` . For more information, see [Workaround for private DNS support: routing domain](./vpc-egress-private-endpoints.html#lattice-vpc-egress-routing-domain). +If you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer, you can specify a `routingDomain` . For more information, see [Route traffic through an intermediate domain](./vpc-egress-private-endpoints.html#lattice-vpc-egress-routing-domain). @@ -164,0 +157,4 @@ For self-managed Lattice, cross-account setups, and advanced configurations, see +###### Note + +The `privateEndpoint` configuration applies to a single domain in your OpenAPI schema. If your schema references multiple server endpoints with different domains, open an [AWS Support case](https://console.aws.amazon.com/support/home) to request support for `privateEndpointOverrides`. + @@ -167 +163 @@ For self-managed Lattice, cross-account setups, and advanced configurations, see -Private endpoint ( `privateEndpoint` ) configuration is not currently supported for Smithy targets. +Private endpoint ( `privateEndpoint` ) configuration is not currently supported for Smithy targets. If your Smithy target requires private connectivity, open an [AWS Support case](https://console.aws.amazon.com/support/home) to request support. @@ -259 +255 @@ API Gateway targets with private endpoints are not natively supported. However, - "managedLatticeResource": { + "managedVpcResource": { @@ -288 +284,5 @@ AgentCore Gateway supports Lambda targets as one of it target types, allowing se -## Workaround for private identity providers +## Private identity providers + +AgentCore now supports connecting to private OAuth identity providers for both inbound JWT authorization and outbound OAuth credential providers. This enables you to use self-hosted IdPs such as Keycloak, PingFederate, or other OIDC-compliant authorization servers running inside your VPC without exposing them to the public internet. + +For detailed configuration instructions, see [Connect to private identity providers in your VPC](./identity-private-idp.html). @@ -290 +290 @@ AgentCore Gateway supports Lambda targets as one of it target types, allowing se -Configuring a private (VPC-hosted) OAuth identity provider for AgentCore Gateway inbound authorization is not yet natively supported. As a workaround, you can use an interceptor Lambda function for inbound authentication and override the Authorization header in the interceptor Lambda for use with outbound auth. +Alternatively, you can use an interceptor Lambda function for inbound authentication and override the Authorization header in the interceptor Lambda for use with outbound auth: @@ -306 +306 @@ Configuring a private (VPC-hosted) OAuth identity provider for AgentCore Gateway -For additional limitations related to private DNS resolution, cross-account connectivity, and DNS TTL configuration, see [Limitations and considerations](./vpc-egress-private-endpoints.html#lattice-vpc-egress-limitations) in [Connect to private resources in your VPC using VPC Lattice](./vpc-egress-private-endpoints.html). +For additional limitations related to cross-account connectivity and DNS TTL configuration, see [Limitations and considerations](./vpc-egress-private-endpoints.html#lattice-vpc-egress-limitations) in [Connect to private resources in your VPC using VPC Lattice](./vpc-egress-private-endpoints.html).